California continues to be a first mover in privacy in the United States, enacting the US’s toughest and most comprehensive privacy legislation on Thursday, June 28, 2018. Unlike existing state and federal privacy legislation that has generally focused on specific sectors or privacy issues, the California Consumer Privacy Act of 2018 (AB 375), applies broadly to businesses that collect personal information about California consumers and aims to create significant new consumer privacy rights. In doing so, it creates significant new obligations for businesses.
The new law was a fast-tracked effort to stave off an aggressive California privacy ballot initiative (Ballot Initiative No. 17-0039). The Ballot Initiative’s primary sponsor Alistair Mactaggart agreed last week to withdraw his measure if lawmakers passed a comparable privacy bill before California’s June 28 deadline for finalizing propositions for California’s November General Election ballot. California lawmakers (lead by Assembly Member Ed Chau and Senators Bob Hertzberg and Bill Dodd) quickly introduced and cobbled together a bill in a matter of days, so that the bill’s language could be publicly available for the requisite 72 hours before it could be acted on by the Legislature. Within hours of this mandatory review period ending on June 28, both houses of the Legislature unanimously passed the Act and Governor Jerry Brown signed it into law. Later in the day, the California Secretary of State confirmed in a press release that the proponents had withdrawn the Ballot Initiative as agreed before it was certified for inclusion on the November ballot.
The California Consumer Privacy Act enshrines in California law individual consumer rights and business obligations that exceed far beyond those found in any other US privacy legislation to date—some of which go even further than the EU’s expansive General Data Protection Regulation (GDPR). For instance, the definition of “personal information” in the Act is incredibly broad. The Act enshrines a consumer’s right to know what personal information a business collects about them specifically and the categories of third parties to whom his or her information is sold or otherwise disclosed. This “right to know” is an expansion beyond California’s existing Shine the Light Law, which similarly requires businesses to produce upon consumer request a list of personal information types the business shares with third parties for third parties’ direct marketing purposes and such third parties’ names and addresses, but does not require such Shine the Light disclosures to be tailored to the specific individual (e.g., the disclosure can be inclusive of sharing practices for all customers). In addition, the Shine the Light Law permits businesses to altogether forego providing consumers with the names and addresses of such third parties if the business’s privacy policy either (i) commits to disclosing personal information to third parties for their own direct marketing purposes only with the consumer’s consent, or (ii) offers a cost-free means to opt-out of such disclosures. No similar alternative compliance route for the “right to know” is authorized by the Act.
Under the Act, consumers may request access to a copy of the personal information held about them by a business, which must be provided “in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.” The Act also grants consumers certain rights to request that businesses not sell their personal information to third parties and to request that businesses delete their personal information (subject to limited exceptions). Additionally, in certain instances, businesses are prohibited from denying service, charging a different price, or offering a different quality of goods or services to consumers that exercise their privacy rights. Further, businesses must obtain opt-in consent before selling the personal information of a consumer who is less than 16 years old.
The Act reserves primary enforcement authority to the Attorney General and limits consumers’ private right of action to data breaches, i.e., “unauthorized access and exfiltration, theft, or disclosure” of nonencrypted or nonredacted personal information. Businesses may cure alleged violations within 30 days of being notified of the suspected violation. Also, certain personal information that is subject to specific sectoral laws, like protected health information under HIPAA or personal information under the Gramm Leach Bliley Act, is excepted from the Act’s requirements.
Several provisions in the new legislation remain highly ambiguous and will likely be difficult for businesses to operationalize—a result that is not altogether surprising given the unprecedented lack of debate and full legislative process. As Hogan Lovells partner Mark Brennan notes, “Many elements of the new legislation are incredibly inartfully worded. If not fixed, a number of existing privacy-enhancing technologies and service approaches will be threatened, and consumers could ultimately end up worse off and their data more exposed to bad actors.”
The Act’s fiscal impact on the state and local government remains unclear but could present concerns similar to that estimated in the Attorney General’s official title and summary of the (now withdrawn) Ballot Initiative: “Increased costs, potentially reaching the low tens of millions of dollars annually, to state and local governments from implementing and enforcing the measure…Unknown impact on state and local tax revenues due to economic effects resulting from new requirements on businesses to protect consumer information.”
The Act does not take effect until January 1, 2020, so there is still an opportunity for it to be further refined by the California Legislature or preempted by federal comprehensive privacy legislation.
[View source.]
